gnu: icecat: Update to 140.3.0-gnu1 [security fixes].

For Firefox/IceCat, this fixes at least CVE-2025-6427, CVE-2025-6428,
CVE-2025-6431, CVE-2025-6432, CVE-2025-6433, CVE-2025-6434, CVE-2025-6435 and
CVE-2025-6436.

For Thunderbird/Icedove, this fixes too many CVEs to be named here. Consult
<https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird> to
read the details.

* gnu/packages/image.scm (libpng-apng-for-librewolf): Rename to...
(libpng-apng-next): ... this.
* gnu/packages/librewolf.scm (librewolf) [inputs]: Adjust accordingly.
* gnu/packages/gnuzilla.scm (icecat-minimal): Update to 140.3.0.
[#:configure-flags]: Add --disable-fhs.  Remove --enable-official-branding.
[#:phases] {apply-guix-specific-patches}: Apply
icecat-fhs-configure-option.patch.
{remove-cargo-frozen-flag}: Remove --frozen from rust.mk.
{install}: Also install a policies.json file to disable the Sync feature.
{install-desktop-entry}: Adjust and streamline.
{install-icons}: Use the 'unofficial' branding directory.
[inputs]: Replace libpng-apng with libpng-apng-next.  Replace icu4c with
icu4c-77.
[native-search-paths]: Replace ICECAT_SYSTEM_DIR with MOZILLA_SYSTEM_DIR.
(icecat-source): Remove obsolete cleanups.  Switch tarball compression to
zstd.
(make-l10n-package): No longer set GUIX_PYTHONPATH.
[#:phases] {build}: Register the "tb_common" mach site.
[native-inputs]: Replace python-wrapper with python. Add python-aiohttp,
python-async-timeout and python-dateutil.
(mozilla-115-compare-locales, mozilla-115-locale, mozilla-115-locales)
(update-mozilla-115-locales, all-mozilla-115-locales, %icecat-115-base-version)
(%icecat-115-version, %icecat-115-build-id
(icecat-115-source): Delete variables.
(mozilla-l10n): Update to correct changeset.
(format-locales): New procedure.
(%icecat-locales): Update.
(%icecat-base-version): Set to the version of mozjs.
(%icecat-build-id): Bump.
(%icedove-build-id): Bump.
(%icedove-version): Set to 140.3.0.
(thunderbird-comm-source): Update accordingly.
[patches]: New field.
(comm-source->locales+changeset): Delete variable.
(%icedove-locales): Regenerate.
(thunderbird-comm-l10n): Adjust URI, and switch to a git-fetch, to be able to
use pre-releases (the official release tarballs lag behind those of Firefox).
(icedove-source): Compress resulting tarball via zstd. Adjust patching based
on changed file names and content. Make "comm" files writable. Patch
MOZ_APP_NAME in "devtools/startup/DevToolsStartup.sys.mjs". Adjust
services.settings.server value to avoid a warning.
Adjust l10n copying, given we're now using a checkout again.
(icedove-minimal) [#:phases] {configure}: Do not set PYTHON. Add
'ac_add_options --enable-rust-simd' flag.
{do-not-verify-vendored-rust-dependencies}: New phase.
{patch-cargo-checksums}: Sync with IceCat, add "comm" directory.
{remove-cargo-frozen-flag}: Sync phase with that of IceCat.
[inputs]: Sort. Add ffmpeg. Remove gtk+-2. Replace nss with nss-rapid.
Replace icu4c with icu4c-77.
[native-inputs]: Replace clang-15 with clang-20, llvm-15 with llvm-20. Replace
rust-cbindgen-0.24 with rust-cbindgen.
* gnu/packages/patches/icedove-observer-fix.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/patches/icecat-compare-paths.patch: Update.
* gnu/packages/patches/icecat-use-system-wide-dir.patch: Rework, with the goal
to of upstreaming it.

Change-Id: Ib420388b9e7c7b59baa74920951afbda99cfe5a2

gnu/local.mk

@@ -1598,9 +1598,11 @@ dist_patch_DATA =						\
   %D%/packages/patches/icecat-makeicecat.patch			\
   %D%/packages/patches/icecat-avoid-bundled-libraries.patch	\
   %D%/packages/patches/icecat-compare-paths.patch		\
+  %D%/packages/patches/icecat-fhs-configure-option.patch        \
   %D%/packages/patches/icecat-use-system-graphite2+harfbuzz.patch	\
   %D%/packages/patches/icecat-use-system-media-libs.patch	\
   %D%/packages/patches/icecat-use-system-wide-dir.patch		\
+  %D%/packages/patches/icedove-observer-fix.patch               \
   %D%/packages/patches/icedtea-7-hotspot-aarch64-use-c++98.patch	\
   %D%/packages/patches/icedtea-7-hotspot-pointer-comparison.patch	\
   %D%/packages/patches/icu4c-icu-22132-fix-vtimezone.patch	\

gnu/packages/image.scm

@@ -332,8 +332,7 @@ APNG patch provides APNG support to libpng.")
 
 ;; Temporary, until 76798 merges into core-packages-team, and that merges into
 ;; master.
-(define-public libpng-apng-for-librewolf
+(define-public libpng-apng-next
-  (hidden-package
   (package
     (inherit libpng-apng)
     (version "1.6.46")
@@ -361,7 +360,7 @@ APNG patch provides APNG support to libpng.")
                            version "/libpng-" version "-apng.patch.gz"))
            (sha256
             (base32
-              "00ykl1bzb79xsjwrq7dl0yz9dz5g3zwj0lry5zam3vs6s3gw5gi9")))))))))
+             "00ykl1bzb79xsjwrq7dl0yz9dz5g3zwj0lry5zam3vs6s3gw5gi9"))))))))
 
 (define-public pngcrush
   (package

gnu/packages/librewolf.scm

@@ -641,7 +641,7 @@
                   libjpeg-turbo
                   libnotify
                   libpciaccess
-                  libpng-apng-for-librewolf
+                  libpng-apng-next
                   libva
                   libvpx
                   libwebp

gnu/packages/patches/icecat-compare-paths.patch

@@ -2,20 +2,11 @@ See comment in gnu/build/icecat-extension.scm.
 
 --- a/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
 +++ b/toolkit/mozapps/extensions/internal/XPIDatabase.sys.mjs
-@@ -3613,6 +3613,7 @@ const XPIDatabaseReconcile = {
+@@ -3753,6 +3753,7 @@
      if (
        newAddon ||
        oldAddon.updateDate != xpiState.mtime ||
 +      oldAddon.path != xpiState.path ||
-       (aUpdateCompatibility && this.isAppBundledLocation(installLocation))
+       (aUpdateCompatibility && this.isAppBundledLocation(installLocation)) ||
-     ) {
+       // update addon metadata if the addon in bundled into
-       newAddon = this.updateMetadata(
+       // the omni jar and version or the resource URI pointing
-@@ -3621,8 +3622,6 @@ const XPIDatabaseReconcile = {
-         xpiState,
-         newAddon
-       );
--    } else if (oldAddon.path != xpiState.path) {
--      newAddon = this.updatePath(installLocation, oldAddon, xpiState);
-     } else if (aUpdateCompatibility || aSchemaChange) {
-       newAddon = this.updateCompatibility(
-         installLocation,

gnu/packages/patches/icecat-fhs-configure-option.patch

@@ -0,0 +1,38 @@
+Upstream-status: https://phabricator.services.mozilla.com/D263231
+
+diff --git a/build/moz.configure/init.configure b/build/moz.configure/init.configure
+index 6162d68699dd..193272588caa 100644
+--- a/build/moz.configure/init.configure
++++ b/build/moz.configure/init.configure
+@@ -1351,3 +1351,17 @@ option(
+     help="Object code libraries in DIR",
+ )
+ set_config("libdir", depends("--libdir")(lambda ldir: ldir[0]))
++
++# Support for using platform-specific standard (FHS-like) locations.
++option(
++    "--enable-fhs",
++    default=True,
++    help="Enable the search of standard platform-specific (FHS-like) locations",
++)
++
++@depends("--enable-fhs")
++def use_fhs(value):
++    return bool(value)
++
++set_config("USE_FHS", use_fhs)
++set_define("USE_FHS", use_fhs)
+diff --git a/toolkit/xre/nsXREDirProvider.cpp b/toolkit/xre/nsXREDirProvider.cpp
+index 547cc4c255c4..79133c879be4 100644
+--- a/toolkit/xre/nsXREDirProvider.cpp
++++ b/toolkit/xre/nsXREDirProvider.cpp
+@@ -295,6 +295,9 @@ static nsresult GetSystemParentDirectory(nsIFile** aFile) {
+     localDir.forget(aFile);
+     return rv;
+   }
++#  ifndef USE_FHS
++  return rv;
++#  endif
+ 
+   // ... falling back to the conventional fixed location otherwise.
+ #  if defined(XP_MACOSX)

gnu/packages/patches/icecat-use-system-wide-dir.patch

@@ -1,36 +1,36 @@
-Replace "/usr/lib/mozilla" (the system-wide directory for extensions and
+Upstream-status: https://bugzilla.mozilla.org/show_bug.cgi?id=1986219
-native manifests) with "$ICECAT_SYSTEM_DIR".
 
+diff --git a/toolkit/xre/nsXREDirProvider.cpp b/toolkit/xre/nsXREDirProvider.cpp
+index 9c94cb8808aa..dfee051b302f 100644
 --- a/toolkit/xre/nsXREDirProvider.cpp
 +++ b/toolkit/xre/nsXREDirProvider.cpp
-@@ -296,24 +296,12 @@ nsresult nsXREDirProvider::GetBackgroundTasksProfilesRootDir(
+@@ -276,11 +276,27 @@ nsresult nsXREDirProvider::GetBackgroundTasksProfilesRootDir(
+  *
+  * On OSX this is /Library/Application Support/Mozilla
+  * On Linux this is /usr/{lib,lib64}/mozilla
+- *   (for 32- and 64-bit systems respsectively)
++ *   (for 32- and 64-bit systems respectively)
++ *
++ * The MOZILLA_SYSTEM_DIR environment variable can be used to override
++ * the system directory used.
+  */
  static nsresult GetSystemParentDirectory(nsIFile** aFile) {
-   nsresult rv;
+-  nsresult rv;
++  nsresult rv = NS_ERROR_FAILURE;
    nsCOMPtr<nsIFile> localDir;
--#  if defined(XP_MACOSX)
--  rv = GetOSXFolderType(kOnSystemDisk, kApplicationSupportFolderType,
--                        getter_AddRefs(localDir));
--  if (NS_SUCCEEDED(rv)) {
--    rv = localDir->AppendNative("Mozilla"_ns);
--  }
--#  else
--  constexpr auto dirname =
--#    ifdef HAVE_USR_LIB64_DIR
--      "/usr/lib64/mozilla"_ns
--#    elif defined(__OpenBSD__) || defined(__FreeBSD__)
--      "/usr/local/lib/mozilla"_ns
--#    else
--      "/usr/lib/mozilla"_ns
--#    endif
--      ;
--  rv = NS_NewNativeLocalFile(dirname, false, getter_AddRefs(localDir));
--#  endif
 +
-+  const char* systemParentDir = getenv("ICECAT_SYSTEM_DIR");
++  // Honor a the MOZILLA_SYSTEM_DIR environment variable first...
-+  if (!systemParentDir || !*systemParentDir) return NS_ERROR_FAILURE;
++  const char* systemParentDir = getenv("MOZILLA_SYSTEM_DIR");
-+
++  if (systemParentDir) {
-+  rv = NS_NewNativeLocalFile(nsDependentCString(systemParentDir), false,
++    rv = NS_NewNativeLocalFile(nsDependentCString(systemParentDir),
 +                               getter_AddRefs(localDir));
- 
++  }
-   if (NS_SUCCEEDED(rv)) {
++  if (NS_SUCCEEDED(rv)) {
-     localDir.forget(aFile);
++    localDir.forget(aFile);
++    return rv;
++  }
++
++  // ... falling back to the conventional fixed location otherwise.
+ #  if defined(XP_MACOSX)
+   rv = GetOSXFolderType(kOnSystemDisk, kApplicationSupportFolderType,
+                         getter_AddRefs(localDir));

gnu/packages/patches/icedove-observer-fix.patch

@@ -0,0 +1,35 @@
+
+# HG changeset patch
+# User Magnus Melin <mkmelin+mozilla@iki.fi>
+# Date 1757493192 0
+# Node ID 1cc168c9d0a5c55744d2886aa380f5a7bf712ef4
+# Parent  20980bc07105ebb761347e9c99937e572eedf03a
+Bug 1987834 - Don't remove not added observer of AUTO_UPDATE_CHANGED_TOPIC when MOZ_UPDATER is off. r=john.bieling
+
+Differential Revision: https://phabricator.services.mozilla.com/D264376
+
+diff --git a/mail/components/preferences/general.js b/mail/components/preferences/general.js
+--- a/mail/components/preferences/general.js
++++ b/mail/components/preferences/general.js
+@@ -2175,17 +2175,19 @@ var gGeneralPane = {
+     }
+ 
+     return /^https?/.test(uri.scheme) ? uri.resolve("/favicon.ico") : "";
+   },
+ 
+   destroy() {
+     window.removeEventListener("unload", this);
+ 
+-    Services.obs.removeObserver(this, AUTO_UPDATE_CHANGED_TOPIC);
++    if (AppConstants.MOZ_UPDATER) {
++      Services.obs.removeObserver(this, AUTO_UPDATE_CHANGED_TOPIC);
++    }
+     Services.prefs.removeObserver("mailnews.tags.", this);
+   },
+ 
+   // nsISupports
+ 
+   QueryInterface: ChromeUtils.generateQI(["nsIObserver"]),
+ 
+   // nsIObserver
+